Show cloud-native applications in an iframe
GitLab is a single application for the entire DevOps lifecycle.
For cloud native application development you need:
- Jaeger for tracing, this application doesn't have a stable API yet
- Kiali https://www.kiali.io/ to look at the traffic of your service mesh
- Loki https://grafana.com/loki for log exploration
We need these applications quickly with minimum effort.
The easiest thing is to embed them in an iframe, for example Kiali does this with Jaeger.
The problem is that these applications run on the user's cluster, so they can replace it with an evil application.
This evil application might be used to gather login credentials, and it would be shown under the proper URL, for example https://gitlab.com
We should make sure that the page of the iframe is only shown to logged-in users that belong to the specific project. This means you can only hack people that have access to your project. So you would have to invite people you want to phish. When people do this we should make it easy to leave the project and report abuse https://gitlab.com/gitlab-org/gitlab-ce/issues/59421
When you load the page we should greet people by name (showing they are logged in) and say that if this page asks for a login and/or password they should not enter it and should report it as abuse, for example:
Welcome Sid, if this page asks for a password please don't enter it and report abuse via the button in the top right
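
A sketch of the membership gate and greeting proposed above, as an added example that is not GitLab's own code. `User`, `Project`, `embedded_app_page`, the status codes, the https-only check and the `kiali.example.test` host are all assumptions made for illustration.

```ruby
require "cgi"
require "uri"

# Hypothetical stand-ins for a signed-in user and a project (constructed for this example).
User = Struct.new(:id, :first_name)
Project = Struct.new(:path, :member_ids) do
  def member?(user)
    !user.nil? && member_ids.include?(user.id)
  end
end

# Returns [status, body]. The iframe is emitted only for signed-in members
# of the project, and always together with the greeting and warning.
def embedded_app_page(user, project, app_url)
  return [401, "Sign in required"] if user.nil?
  # Non-members get no iframe at all (the 404 status is this example's choice).
  return [404, "Not found"] unless project.member?(user)

  uri = begin
    URI.parse(app_url)
  rescue URI::InvalidURIError
    nil
  end
  # Assumption: only https URLs with a host are accepted as embed targets.
  return [422, "Embedded application URL must be https"] unless uri.is_a?(URI::HTTPS) && uri.host

  # Escape everything interpolated into the page: the user's name and the
  # project-supplied URL are both untrusted input here.
  name = CGI.escapeHTML(user.first_name)
  src = CGI.escapeHTML(uri.to_s)
  html = <<~HTML
    <div class="embed-warning">
      Welcome #{name}, if this page asks for a password please don't enter it
      and report abuse via the button in the top right.
    </div>
    <iframe src="#{src}" title="Embedded application"></iframe>
  HTML
  [200, html]
end

if __FILE__ == $PROGRAM_NAME
  sid = User.new(1, "Sid")                   # constructed sample user
  project = Project.new("group/app", [1])    # constructed sample project
  puts embedded_app_page(sid, project, "https://kiali.example.test/").last
end
```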